Bug #28948

closed

Session is always started

Added by Christopher Hlubek over 12 years ago. Updated over 12 years ago.

Status: Closed
Priority: Should have
Assignee: -
Category: -
Start date: 2011-08-12
% Done: 0%
TYPO3 Version: 4.5

Description

We have severe problems with fb_magento after a recent change in TYPO3 4.5.4. The problem is that the session is started before Magento is initialized.

I don't see any option in TYPO3 to disable the call to session_start or the FE user initialization at all.

I consider this a bug, since in some setups you don't want a PHP session (e.g. websites without FE users and session storage) for performance reasons.


Related issues 3 (0 open, 3 closed)

Related to TYPO3 Core - Bug #28694: PHP Warning: session_start() (Closed, 2011-08-03)

Related to TYPO3 Core - Bug #24456: Information disclosure during backend login (Closed, 2011-01-03)

Is duplicate of TYPO3 Core - Bug #29274: Regression on session handling for security fix (Closed, Helmut Hummel, 2011-08-26)

#1

Updated by Jigal van Hemert over 12 years ago

  • Status changed from New to Needs Feedback

This change was part of a security update. I don't think it will be reverted.

I don't see the problem reported in the typogento bugtracker; in fact there isn't much activity there (latest version is over a year old and that means that there have been new TYPO3 major versions since then).

I don't consider it a bug that TYPO3 starts a session for a user who is not logged in. The problem is probably within the extension.

Can you provide more information why exactly the extension has to rely on the fact that no PHP session was started?

#2

Updated by Thorsten Kahler over 12 years ago

  • Status changed from Needs Feedback to Accepted
  • Target version set to 4.5.6

Jigal van Hemert wrote:

> I don't consider it a bug that TYPO3 starts a session for a user who is not logged in. The problem is probably within the extension.

No, it's not:
  1. sessions are now started even in command line mode
  2. it's not possible to have "cookie free domains" (appending the session ID to the URL parameters is not an option for security reasons)

Since you both mention a change but don't name it, I guess you're talking about 281713c3?

#3

Updated by Helmut Hummel over 12 years ago

  • Status changed from Accepted to Closed

Closed as duplicate
